摘要

本文部分内容来源于网络，个人收集整理，请勿传播

使用strongswan配置ipsec隧道打通vpc与办公网

官方下载地址

安装strongswan

安装依赖

1	yum install -y pam-devel openssl-devel make gcc curl wget

设置环境变量

WORKDIR="/usr/local/src"
INSTALL_DIR="/usr/local/product"
SOFT_DIR="/usr/local"
VERSION="5.6.2"

编译安装

cd ${WORKDIR}
wget https://download.strongswan.org/strongswan-${VERSION}.tar.gz
tar xvf strongswan-${VERSION}.tar.gz && cd strongswan-${VERSION}
./configure \
--prefix=${INSTALL_DIR}/strongswan-${VERSION} \
--enable-eap-identity \
--enable-eap-md5 \
--enable-eap-mschapv2 \
--enable-eap-tls \
--enable-eap-ttls \
--enable-eap-peap \
--enable-eap-tnc \
--enable-eap-dynamic \
--enable-eap-radius \
--enable-xauth-eap \
--enable-xauth-pam \
--enable-dhcp \
--enable-openssl \
--enable-addrblock \
--enable-unity \
--enable-certexpire \
--enable-radattr \
--enable-swanctl \
--enable-openssl \
--disable-gmp

make && make install
ln -s ${INSTALL_DIR}/strongswan-${VERSION} ${SOFT_DIR}/strongswan

修改配置

mkdir -p /data/logs/strongswan

cat strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    interfaces_use = eth0
	load_modular = yes
    filelog {
        /data/logs/strongswan/strongswan.charon.log {
           time_format = %b %e %T
           default = 1
           append = yes
           flush_line = yes
        }
    }
	plugins {
		include strongswan.d/charon/*.conf
	}
}

include strongswan.d/*.conf

###############

cat ipsec.conf
config setup
    uniqueids = never
    charondebug="ike 4, knl 4, net 4, cfg 4"

conn %defualt
    type=tunnel
    ikelifetime=60m
    keylife=5m
    dpddelay=10s
    rekeymargin=3m
    keyingtries=3
    mobike=no

conn site-to-site-beijing
    keyexchange=ikev1
    left=0.0.0.0
    leftid=vpc-beijing
    leftsubnet=172.16.1.0/24
    leftfirewall=no
    right=x.x.x.x
    rightid=BaseManager
    authby=secret
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    rightsubnet=172.32.0.0/16
    auto=start

生成ca证书

待续。。。

进行CA配置
CA 生成存放目录为 /usr/local/src/ca
创建ca目录
mkdir /usr/local/src/ca

生成私钥和根证书,并且根证书使用的是自签名形式
这里C表示国家名,O表示组织单位，CN表示通用名字

ipsec pki --gen --outform pem > ca.key.pem
ipsec pki --self --in ca.key.pem --dn "C=CN, O=MyStrongSwan, CN=MyStrongSwan CA" --ca --lifetime 3650 --outform pem > ca.cert.pem
生成服务器证书
ipsec pki --gen --outform pem > server.key.pem
ipsec pki --pub --in server.key.pem --outform pem > server.pub.pem
ipsec pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in server.pub.pem --dn "C=CN, O=MyStrongSwan, CN=myDomain.com" --san="myDomain.com" --san="YourIP" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem
注意事项 ： 服务器这边的CN一定是你网卡的ip，或者你网卡ip对应的域名，--san 设置设置别名，建议设置两个或者两个以上，分别为你的域名和网卡ip;–flag serverAuth 表示证书使用用途，不加windows 7会报错，非 iOS 的 Mac OS X 要求了“IP 安全网络密钥互换居间（IP Security IKE Intermediate）”这种增强型密钥用法（EKU），–flag ikdeIntermediate;

生成客户端证书 （可选）
ipsec pki --gen --outform pem > client.key.pem
ipsec pki --pub --in client.key.pem --outform pem > client.pub.pem
ipsec pki --issue --lifetime 1200 --cacert ca.cert.pem --cakey ca.key.pem --in client.pub.pem --dn "C=CN, O=MyStrongSwan, CN=MyDomain.com" --outform pem > client.cert.pem

#以下生成证书需要密码地，请设置密码，因为MAC不能导入密码为空的证书
openssl pkcs12 -export -inkey client.key.pem -in client.cert.pem -name "MyStrongSwan Client Cert" -certfile ca.cert.pem -caname "MyStrongSwan CA" -out client.cert.p12
安装证书
\cp -r ca.key.pem /usr/local/strongswan/etc/ipsec.d/private/
\cp -r ca.cert.pem /usr/local/strongswan/etc/ipsec.d/cacerts/
\cp -r server.cert.pem /usr/local/strongswan/etc/ipsec.d/certs/
\cp -r server.key.pem /usr/local/strongswan/etc/ipsec.d/private/
\cp -r client.cert.pem /usr/local/strongswan/etc/ipsec.d/certs/
\cp -r client.key.pem /usr/local/strongswan/etc/ipsec.d/private/
配置ipsec.conf
vim /usr/local/strongswan/etc/ipsec.conf

    config setup
        uniqueids=no
    conn %default
        compress = yes
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    keyexchange = ike
    keyingtries = 1
    #for andorid、ios、mac 
    conn cisco_xauth_psk
        left = %any
        leftid = YourIP or Domain
        leftauth = psk
        leftfirewall = yes
        fragmentation = yes
        leftsubnet = 0.0.0.0/0
        right = %any
        rightauth = psk
        rightauth2 = xauth
        rightsourceip = 172.16.6.0/24
        rekey = no
        auto = add     
        dpdaction=clear
    #for windows 7/10 , strongswan agent and other ca
    conn IKEv2-EAP-Windows
        leftca = "C=CN, O=,MyStrongSwan; CN=YourIP or domain"
        leftcert = server.cert.pem
        leftsendcert = always
        rightsendcert = never
        leftid = YourIP or domain
        left = %any
        right = %any
        leftauth = pubkey   #使用证书形式认证
        rightauth = eap-radius  #认证使用radius
        leftfirewall = yes
        leftsubnet = 0.0.0.0/0  #全部流量走vpn
        rightsourceip = 172.16.7.0/24
        fragmentation = yes  #包重组
        eap_identity = %any
        rekey = no  #不重复检查，用来开启多设备登录
        auto = add
    dpdaction=clear #断开后清空
配置 strongswan.conf
vim /usr/local/strongswan/etc/strongswan.conf

charon {
    filelog {
               /var/log/strongswan.charon.log {
                   time_format = %b %e %T
                   default = 2
                   append = no
                   flush_line = yes
               }
       }
    load_modular = yes
    duplicheck.enable = no #是为了你能同时连接多个设备，所以要把冗余检查关闭
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 223.5.5.5
#only for windows
    nbns1 = 8.8.8.8
    nbns2 = 223.5.5.5
}
include strongswan.d/*.conf
配置 ipsec.secrets
: RSA server.key.pem
: PSK "visionsrv"
: XAUTH "visionsrv"
 myvpn %any : EAP "123456"
配置Firewall和转发
1.开放端口
firewall-cmd --add-port=500/tcp --permanent
firewall-cmd --add-port=500/udp --permanent
firewall-cmd --add-port=4500/tcp --permanent
firewall-cmd --add-port=4500/udp --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload
2.编辑 /etc/systcl.conf

vim /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
3.开启 firewall的转发功能

iptables -t nat -A POSTROUTING -s 172.16.6.0/24 -o ens160 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.7.0/24 -o ens160 -j MASQUERADE
启动服务
    ipsec start
    systemctl restart strongswan
三、 各种终端测试